Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack

Quantum key distribution can be performed with practical signal sources such as weak coherent pulses. One example of such a scheme is the Bennett-Brassard protocol that can be implemented via polarization of the signals, or equivalent signals. It turns out that the most powerful tool at the disposition of an eavesdropper is the photon-number splitting attack. We show that this attack can be extended in the relevant parameter regime such as to preserve the Poissonian photon number distribution of the combination of the signal source and the lossy channel.



I. INTRODUCTION 

Quantum Key Distribution (QKD) allows two parties, conventionally named Alice and Bob, to generate a long secret shared key from a short initial secret key. Part of that newly generated key can then be used up by sending an unconditionally secure secret message via the one-time pad, also called the Vernam cipher [1]. The remaining part is retained to repeat the QKD protocol to generate new key. The first complete protocol is that by Bennett and Brassard, BB84, although Wiesner formulated basic ideas earlier.

In ideal QKD protocols we are required to use particular states for which the preparation is beyond our present experimental capability, such as single photon states on which we can imprint signals in the form of specific polarizations. For example, for the BB84 protocol we would use two pairs of orthogonal polarizations, e.g. horizontal/vertical linear polarization and right/left circular polarization.

Recently it has been proven that one can use realistic signal sources such as weak laser pulses polarized in the four signal polarizations to perform QKD even in the presence of loss and noise in the quantum channel. Indeed, in most experiments demonstrating the technique required for QKD this signal source has been used. For eavesdropping attacks on such signals, the security of the BB84 protocol in a realistic setting has been explored regarding attacks on individual signals in [10]. The proof of unconditional security of QKD with the BB84 protocol in this framework has been presented in [11]. It turns out that the combination of multi-photon signals of the source, such as weak laser pulses, together with loss in the quantum channel in the presence of errors leads to limitations of rate and distance that can be covered by those techniques. These restrictions are due not only to the proving techniques but are of fundamental nature, at least in a conservative approach to security where all errors and losses are assumed to be due to eavesdropping activity.

The limitation comes from the fact that the combination of multi-photon signals of the source and loss in the transmission line opens the door for a powerful eavesdropping attack, the Photon Number Splitting (PNS) attack that was first mentioned in . The basic step is that a signal consisting of two or more photons (multi-photon signal) can be split via a physical interaction by an eavesdropper (called Eve) such that Eve retains one photon and Bob receives the other photons such that the polarization of both parts remains undisturbed. The photon in Eve's hand will reveal its signal polarization to Eve if she waits long enough until she learns the polarization basis during the public discussion part of the BB84 protocol. In the presence of loss, this attack can put Eve in a position that she knows the complete information about all signals received by Bob and no secure key can be generated. This is the case if the loss is strong enough, such that Bob expects to receive fewer signals than the signal source prepares multi-photon signals. Then Eve can replace the lossy quantum channel by an ideal one, block all single-photon signals and use only multi-photon signals to match Bob's expectation of non-vacuum pulses. If the loss is not high enough for this, then Eve can block only a fraction $b$ of the single-photon signals, but she can perform some optimal eavesdropping attack on the remaining single-photon pulses. This constitutes her optimal attack [10]. Despite this powerful attack, in this situation, if the error rate is not too high, Alice and Bob can establish a secure key, as has been shown in [10, 11], in the standard BB84 protocol where no photon-number statistics is monitored. Note that the PNS attack can be well approximated with linear optics only [14].

One remaining open question is whether Alice and Bob might be able to detect that Eve performed the PNS attack. After all, the photon number statistics changes under the PNS attack as described above. In this paper, we will show that it is possible to extend the PNS attack such that the photon number statistics, as seen by Bob, is indistinguishable from that resulting from weak laser pulses and a lossy channel. This result holds in the relevant parameter regime of mean photon number $\mu$ of the Poissonian photon number distribution of the weak laser pulse and of the transmission factor $\eta$ of the quantum channel. The extension of the PNS attack allows the eavesdropper to remain undetected even if Alice and Bob measure the photon number distribution via coincidence rates in Bob's photodetectors.



II. EXTENDED PNS ATTACK 

We consider a photon source emitting signals with a Poissonian photon number distribution with mean value $\mu$. Weak laser pulses are well described by Fock states with this photon number distribution, but our analysis can be extended to other distributions. The quantum channel is described by a single-photon transmission efficiency $\eta$. Then we find at Bob's end of the quantum channel again a Poissonian photon number distribution with mean photon number $\mu\eta$, that is

$$P_{\rm loss}[n] = \frac{(\eta\mu)^n}{n!} \exp[-\eta\mu] . \qquad (1)$$



On the other hand, the PNS attack described above will give another photon number statistics. Let Eve perform the photon number splitting attack in which she blocks a fraction $b$ of the single-photon signals. Then we find a resulting photon number distribution that is not Poissonian, namely

$$P_{\rm PNS}[n] = \begin{cases} (1 + b\mu) \exp[-\mu] & n = 0 \\ ((1 - b)\mu + \mu^2/2) \exp[-\mu] & n = 1 \\ \frac{\mu^{n+1}}{(n+1)!} \exp[-\mu] & n > 1 \end{cases} \qquad (2)$$

To match the number of vacuum signals, we adjust $b$ such that $P_{\rm loss}[0] = P_{\rm PNS}[0]$. This leads to the expression

$$b_{\rm match} = \frac{1}{\mu} \left( \exp[\mu(1 - \eta)] - 1 \right) . \qquad (3)$$

We find $b_{\rm match} = 0$ for $\eta = 1$, while $b_{\rm match} = 1$ for $\eta = 1 - \frac{1}{\mu} \ln[1 + \mu]$. This last point corresponds precisely to the situation where $1 - P_{\rm loss}[0] = 1 - (1 + \mu) \exp[-\mu]$, that is, the number of non-vacuum signals arriving at the end of the lossy quantum channel is equal to the number of multi-photon signals emanating from the source. For values of $\eta$ between these two extreme values, $b$ takes on values in the interval $(0, 1)$, and this is the regime we are dealing with.

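With this choice the photon number distribution after Eve's attack takes the form

$$P_{\rm match}[n] = \begin{cases} \exp[-\eta\mu] & n = 0 \\ (1 + \mu + \mu^2/2) \exp[-\mu] - \exp[-\eta\mu] & n = 1 \\ \frac{\mu^{n+1}}{(n+1)!} \exp[-\mu] & n > 1 \end{cases} \qquad (4)$$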



This photon number distribution is not Poissonian. The question is whether Eve can make it Poissonian without losing any advantage of the PNS attack. It is easy to come up with a possible solution: Eve can extract not only one, but two or more photons from pulses depending on the photon number in each pulse. With this method it is possible to redistribute probabilities from higher to lower photon numbers, but not the other way round. Therefore the necessary and sufficient condition for the redistribution to be possible is that

$$\quad > \sum_{i=0}^{n} P_{\rm match}[i] \qquad (5)$$



is satisfied for all $n$. This condition means that the change of probability from any high-photon number part to a low-photon number part goes in the right direction.

In order to work as an eavesdropping attack, we need to make sure that the number of non-vacuum signals remains unchanged. Indeed, in our extended strategy we will never take 'the last photon' out of a pulse, so the number of non-vacuum signals does not change. This guarantees that the information gain by Eve on the signals remains unchanged. The only change is that of the photon number statistics of the signals arriving at Bob's end of the quantum channel.



III. EVALUATION OF EXTENDED PNS ATTACK

In this section we will show that the condition (5) is satisfied in a parameter regime that we will show in the following section to be relevant to practical QKD. Thus we show that Eve can mimic a Poissonian photon number distribution even while performing the PNS attack via our extension.

We define $d_n$ as the difference of the two probability distributions for given $n$, so that we have

$$d_n = P_{\rm match}[n] - P_{\rm loss}[n] . \qquad (6)$$



Note that $d_0 = 0$ due to the matching via the blocking parameter $b$. We will show that in a relevant parameter regime we find that $d_n < 0$ for $n \in [1, n_1]$ and $d_n > 0$ for $n \in [n_1 + 1, \infty]$. This is sufficient (though not necessary) to fulfill the conditions (5). In other words, with increasing value of $n$, the difference $d_n$ vanishes for $n = 0$, then takes negative values until for $n > n_1 + 1$ it turns positive.

Let us first show by induction that once the function turned positive, it will not turn back negative for $n > 2$ and the parameter regime $\eta < 3/4$. Assume that $d_n > 0$ for $n > 2$. This means

Then it follows that

We do not need to prove directly that there is some $d_{n_1} > 0$ with $n_1 > 2$. Instead, we will show that in a suitable parameter regime $d_1 < 0$. That proves together with the normalization $\sum_{n=0}^{\infty} d_n = 0$ and $d_0 = 0$ that there must be some positive $d_n$ for $n > 2$. In other words, for $\eta < 3/4$ we find that $d_1 < 0$ is a sufficient condition to allow a redistribution of the photon number distribution after the PNS attack to make it Poissonian without changing the flow of information between the parties.

The required condition $d_1 < 0$ can be analyzed numerically only. It is given after a regrouping as

$$(1 + \mu + \mu^2/2) \exp[-\mu] - (1 + \eta\mu) \exp[-\eta\mu] < 0 . \qquad (9)$$

The first term describes the fraction of signals containing 0 or 1 photons after the original PNS attack while the second term describes the target value for this fraction. Note that we fixed the fraction of vacuum signals so that this is, indeed, a statement about the fraction of single-photon signals. The region where $d_1$ is negative is plotted in figure

FIG. 1: As a function of the mean photon number $\mu$ and the transmission efficiency $\eta$ we see the area (grey shade) where the original PNS attack yields fewer single photon signals than the corresponding lossy channel. In this region the extended PNS attack is successful in that it mimics the lossy channel not only in the fraction of non-vacuum signals but also in the whole photon number statistics.

The borderline shown in figure 1 can be evaluated more closely in the typical regime where $\mu, \eta \ll 1$. If we expand $d_1$ in $\mu$, $\eta$ and neglect terms $\eta^k \mu^l$ with $k + l > 4$, then we obtain

$$d_1 \approx \frac{\mu^2}{2} \left( -\frac{\mu}{3} + \frac{\mu^2}{4} + \eta^2 \right) \qquad (10)$$

so that we find that the value $\eta_0$ for which $d_1$ vanishes can be approximated by

$$\eta_0 \approx \sqrt{\mu/3 - \mu^2/4} . \qquad (11)$$

As we see from Fig. this is a good approximation for low photon numbers. Note that the lowest order of the approximation (10) is given by $d_1 \approx -\mu^3/6$ which guarantees that the extended PNS attack is always successful as long as $\mu$ and $\eta$ are small. This is mirrored in the infinitely steep rise of the limiting line shown in figure 0.

FIG. 2: We compare the approximation (dashed line) for the critical value $\eta_0$ for which $d_1$ vanishes with a numerical solution of $d_1[\eta_0] = 0$ (solid line).


IV. APPLICATION TO SECURITY PROOFS AND DISCUSSION

From the security proofs [10], [11] we know the optimal choice of the mean photon number $\mu$ from the point of view of Alice and Bob. This optimization can be understood starting from the idea that Alice and Bob would like to optimize the gain rate of the QKD process. This gain rate $G$ is bounded in a conservative scenario from above as $G < \frac{1}{2} (S_m - p_{\rm exp})$ with $S_m$ as the multi-photon probability of the source and $p_{\rm exp}$ as the fraction of non-vacuum signals detected by Bob. The factor 1/2 comes from a sifting stage of the QKD protocol and is specific for the BB84 protocol. For other polarization based protocols such as the six-state protocol we find other factors; however, the reasoning is independent of this factor. For our Poissonian distributed signals, we find

$$\frac{1}{2} (S_m - p_{\rm exp}) = \frac{1}{2} \left( \exp[-\mu\eta] - (1 + \mu) \exp[-\mu] \right) \qquad (12)$$

and this expression is optimized for small values of $\eta$ by $\mu_{\rm opt} \approx \eta$. As it turns out, that value remains approximately optimal in a detailed analysis taking other error sources into account [10], [11]. In typical experiments we find that even higher photon numbers than the optimal ones are used. That pushes the working point even further away from the critical line in figure

The statements above are made for a conservative scenario where all loss and all errors are attributed to Eve. It will be desirable to extend this analysis by making assumptions stating that Eve cannot change the dark count rate of Bob's detectors and cannot increase the detection efficiency. It turns out that this extension is not trivial at all. The analysis in our paper, however, puts some bounds on the results of such an analysis. Once Eve can perform an extended PNS attack such that her action mimics a lossy quantum channel both in the transmission efficiency and the Poissonian photon number statistics, and she can block all single-photon signals, then the transmission cannot be secure.

At the heart of our paper is the statement that stochastic processes such as loss in a quantum channel can be explained by a rather cunning strategy of a third party, for example an eavesdropper. It means that the eavesdropper can access some preferred signals while suppressing others such that the resulting action is indistinguishable even in principle from a normal lossy channel for given input signals. It is unclear so far what input signals have to be chosen to make such a situation impossible.